Reliable IT networks for security technology
Building a dedicated IT network for security technology enables the secure and independent operation of critical security components – separated from production corporate networks. Security cameras, monitoring and alarm systems, as well as electronic locking and access control systems are consolidated within an independent, resilient IT network and centrally managed. This helps reduce manipulation risks, dependencies, and the impact of outages.
In practice, this can be implemented through modern IT network architectures specifically designed for critical infrastructure and OT environments, for example in the form of multilayer OT networks with defined layers (e.g., perimeter, OT, edge, and device levels), clearly assigned functions, and structured connections and transition points.
How does the integration of security technology affect IT network architecture?
In critical infrastructure and OT environments, security systems must be treated as an integral part of the critical infrastructure. Systems such as video surveillance, access control, locking systems, as well as alarm and monitoring technology are therefore subject to the requirements of European directives like NIS-2 (EU 2022/2555) and the CER directive (Critical Entities Resilience, EU 2022/2557).
The networking of these systems must follow a mandatory security and zoning concept. In particular, communication relationships between security systems, control rooms, management systems, and adjacent IT networks must be strictly regulated. Uncontrolled or historically evolved connections contradict these requirements and are highly problematic from both an auditability and compliance perspective. Missing segmentation and undefined transition points lead to unacceptable dependencies and pose risks to availability, integrity, and confidentiality.
Implementation must adhere to the following mandatory security principles:
- Least privilege: Access rights must be strictly limited to the minimum required and reviewed regularly.
- Zero trust: Every access request must be authenticated, authorized, and logged independently of location or network context. Implicit trust assumptions are not permitted.
- Defense in depth: Security measures must be implemented in multiple, redundant layers so that the failure of individual controls does not compromise the entire system.
Compliance with these principles must be conceptually demonstrated, technically implemented, and continuously monitored during operations. Deviations must be documented, assessed, and remediated.
Integrated partnership solution for reliable security
The combination of networking, video, and physical security technology through the partnership between LANCOM Systems, MOBOTIX, and Kentix enables the implementation of a holistic, standards-compliant security approach for critical infrastructure and OT environments. Considering communication infrastructure, sensor-based early hazard detection, and intelligent video analytics together aligns with the requirements of governmental directives and recommendations such as the German BSI Act, as well as BSI IT Baseline Protection and IEC 62443, and represents the current state of the art.
MOBOTIX provides cyber-secure video surveillance through its decentralized, AI-powered camera systems, where analysis and processing take place directly within the camera itself. This minimizes data flows, reduces central dependencies, and fulfills requirements for data protection, integrity, and system availability.
Kentix complements this approach with an integrated physical security platform that combines access control, environmental monitoring, alarm management, and other security-related functions within a consolidated system, thereby enabling continuous monitoring of critical infrastructures and supporting regulatory requirements (e.g., NIS-2, critical infrastructure regulations).
Such a professional and holistic security technology network enables:
- reduced attack surfaces through decentralized processing and minimized communication relationships
- end-to-end traceability of security-relevant events across system boundaries
- resilient operations, as critical functions can be maintained even in the event of failures of central systems or WAN connections
The joint solution therefore fulfills the key requirements for “security by design” and “defense in depth” and enables operators of critical infrastructures to implement a verifiable, auditable, and scalable security architecture across all levels – from physical site protection to network communication.
IT reference architecture for security technology
Based on the fundamentals required by the BSI OT Security Compendium in the area of IT networks, as well as the capabilities of modern camera, monitoring / alarm, and locking systems, we recommend a powerful, flexible, and scalable IT architecture.
Here you can see how to appropriately connect various security technology components within an operationally reliable and standards-compliant IT architecture:
[Figure] Integrative IT network architectures for security technology in OT and critical infrastructure environments
5 rules for implementation
IT networks that properly integrate security technology must enable the joint operation of security systems without negatively affecting – or even compromising – their protection requirements. The goal is an IT network architecture that combines and ensures availability, control, and scalability.
Clearly defined zones for security systems
IP cameras, sensors, access control components, and management functions can operate within a shared architecture, but they should not be mixed together in an unstructured manner. Logical or physical segmentation with traceable communication relationships is recommended.
In practice, this often means dedicated zones, for example for camera systems, where end devices are only permitted to communicate with assigned systems such as NVR (Network Video Recorder) or VMS (Video Management System) platforms. Transitions between zones are controlled and technically enforced through firewalls or segment gateways.
Separation from office IT and external networks
Security technology should not operate within the standard corporate IT environment. Connections to other networks must be deliberately designed and technically secured. This reduces lateral movement, simplifies operations management, and protects production security zones.
Connections to corporate IT are typically implemented through clearly defined transition points such as DMZ or NAT zones, through which selected services (e.g., Active Directory, DNS, or PKI) can be used in a controlled manner without compromising the isolation of the security segments.
Autonomous and resilient operations
As a fundamental principle, an OT security network should function independently. Even in the event of disruptions to adjacent IT systems, WAN outages, or external attacks, surveillance, alarm management, and central security functions must continue to operate and remain available.
In addition, automated mechanisms such as network probes, camera watchdogs, or PoE-based restarts can be used to resolve typical failures without manual intervention and further improve availability.
Encrypted and controlled communication pathways
Video, alarm, and control data must be transmitted in a fully protected, targeted, and traceable manner. Especially in security-critical scenarios, encrypted communication is a fundamental requirement.
In practice, this is often achieved by combining well-established concepts: VPNs (client-to-site or site-to-site connections) for maintenance access and the secure integration of distributed locations, as well as reverse proxies and end-to-end TLS-encrypted connections between all security components to prevent or significantly hinder man-in-the-middle attacks and other forms of manipulation.
Modular scalability
New IP cameras, additional security components, and further access points must be integrable into the existing structure without requiring the underlying IT network architecture to be fundamentally redesigned or frequently modified. Zone-based architectures make it possible to flexibly add new areas or locations without structurally changing existing segments. New cameras or subareas are integrated as separate segments.
This creates an autonomous, segmented, and centrally manageable IT network that supports both operational reliability and digital sovereignty.
Remote maintenance is necessary in many security-related scenarios and should be integrated into the IT architecture concept from the outset rather than improvised during operations. The following principles therefore apply to management systems, video platforms, access control servers, controllers, gateways, and network components:
- No direct access from the internet
- No direct pathways into production security zones
- Service access only through defined, secured, and auditable entry points (e.g., VPN gateways) and transition points (perimeter firewalls, segmented zones, reverse proxies)
- Clearly structured roles, approvals, maintenance windows, and access targets
- All changes, updates, and ongoing service activities follow these principles
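The zone rules (cameras talk only to the NVR/VMS, corporate services reached only via the DMZ) and the remote-maintenance principles above can be expressed as a default-deny allow-list and checked mechanically. The following is an added example, not LANCOM's code; the zone names, service names, and the sample flow table are constructed assumptions:

```python
# Added example (not LANCOM's code): validates proposed communication relationships
# against the zoning and remote-maintenance rules above. Zone and service names and
# the sample flow table are constructed assumptions.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst service")

# Allowed (source zone, destination zone, service) triples; anything not listed is
# denied by default, which is how least privilege is expressed in a zone model.
ALLOWED = {
    Flow("camera", "vms", "rtsp"),              # cameras stream only to the NVR/VMS
    Flow("vms", "dmz", "ldaps"),                # directory lookups via the DMZ transition point
    Flow("access_control", "dmz", "ocsp"),      # PKI revocation checks via the DMZ
    Flow("dmz", "corp_it", "ldaps"),            # only the DMZ may reach corporate services
    Flow("dmz", "corp_it", "ocsp"),
    Flow("vpn_gateway", "management", "ssh"),   # maintenance enters via the VPN gateway
}
# Zones holding production security functions: never directly reachable from outside.
PRODUCTION_ZONES = {"camera", "vms", "access_control", "management"}

def check_flow(flow: Flow) -> list[str]:
    """Return the rule violations for one flow (an empty list means permitted)."""
    problems = []
    if flow.src == "internet" and flow.dst in PRODUCTION_ZONES:
        problems.append("direct internet access into a production security zone")
    if flow.src == "corp_it" and flow.dst in PRODUCTION_ZONES:
        problems.append("corporate IT may only reach security zones via the DMZ")
    if flow.dst == "management" and flow.src != "vpn_gateway":
        problems.append("maintenance access must enter through the VPN gateway")
    if flow not in ALLOWED:
        problems.append("relationship not in the documented allow-list")
    return problems

def audit(flows: list[Flow]) -> dict[Flow, list[str]]:
    """Map every non-compliant flow to its violations; compliant flows are omitted."""
    return {f: p for f in flows if (p := check_flow(f))}

# Constructed sample flow table, e.g. exported from a firewall rulebase for review.
SAMPLE_FLOWS = [
    Flow("camera", "vms", "rtsp"),
    Flow("camera", "corp_it", "smb"),        # historically evolved, unreviewed path
    Flow("internet", "vms", "https"),        # VMS exposed directly to the internet
    Flow("corp_it", "management", "ssh"),    # admin bypassing the VPN gateway
    Flow("vpn_gateway", "management", "ssh"),
]

for flow, problems in audit(SAMPLE_FLOWS).items():
    print(f"{flow.src} -> {flow.dst} ({flow.service}): {'; '.join(problems)}")
```

Running the check over an exported rulebase before each change window turns the "documented communication paths" requirement into something that can be verified rather than asserted.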
In critical infrastructure and OT environments, asset visibility, event logging, alarm chains, incident handling, as well as secure update and change management processes are highly relevant.
These requirements can be implemented through measures such as the following:
- Centralized management with unified configuration, access control, updates, and monitoring: improves transparency and shortens response times in the event of an incident.
- Integrated Security Information and Event Management (SIEM) systems and Network Access Control (NAC) functions: provide visibility into system states, detect anomalies, and technically restrict access when necessary.
In practice, logging is often implemented in multiple layers: centralized management systems record device states and configuration changes, local logs serve as a fallback during connection interruptions, and SIEM platforms correlate events.
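The three-layer logging just described (device writes locally first, forwards centrally, and replays in order after a connection interruption) in compact form. This is an added example and not LANCOM's, MOBOTIX's or Kentix's code; the central sink, the JSON event format, the per-device sequence number, and the sample events are constructed assumptions:

```python
# Added example (not LANCOM's code): multi-layer event logging with a local fallback
# and ordered replay, as described above; sink, format and events are constructed.
import json
from collections import deque
class CentralSink:
    """Stand-in for a SIEM / central management endpoint; 'reachable' simulates a WAN outage."""
    def __init__(self):
        self.reachable, self.received = True, []
    def send(self, line):
        if not self.reachable:
            raise ConnectionError("central sink unreachable")
        self.received.append(line)

class LayeredLogger:
    """Writes to the local log first, then forwards centrally; unsent events are spooled
    and replayed in order once the sink is reachable again, so the SIEM timeline has no gaps."""
    def __init__(self, device, sink):
        self.device, self.sink = device, sink
        self.local_log = []   # stands in for the device's local log file (always written)
        self.spool = deque()  # events awaiting central forwarding, oldest first
        self.seq = 0          # per-device sequence number lets the SIEM detect gaps
    def log(self, kind, **fields):
        self.seq += 1
        line = json.dumps({"device": self.device, "seq": self.seq, "kind": kind, **fields}, sort_keys=True)
        self.local_log.append(line)
        self.spool.append(line)
        self.flush()
        return self.seq
    def flush(self):
        """Forward spooled events in order; stop at the first failure to preserve ordering."""
        while self.spool:
            try:
                self.sink.send(self.spool[0])
            except ConnectionError:
                return len(self.spool)   # events still held only locally
            self.spool.popleft()
        return 0

def demo():
    """Constructed scenario: config change, then a WAN outage with two alarms, then recovery."""
    sink = CentralSink()
    cam = LayeredLogger("cam-01", sink)
    cam.log("config_change", user="maint-svc", setting="rtsp_auth", value="required")
    sink.reachable = False
    cam.log("watchdog_restart", reason="stream stalled")
    cam.log("tamper_alarm", zone="entrance")
    backlog = len(cam.spool)             # 2 events held locally during the outage
    sink.reachable = True
    remaining = cam.flush()
    return backlog, remaining, [json.loads(l)["seq"] for l in sink.received]
```

The sequence number is what lets the central layer prove completeness: a gap in the received sequence for a device means events exist only in its local log and must be collected before the incident record is closed.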
For operators of critical or regulated environments, security technology is a governance issue. Communication relationships, roles, changes, remote access, and events must remain traceable and documented. An IT network architecture with zones, controlled transition points, resilient logging, and documented communication paths supports exactly these requirements.
The LANCOM OT / critical infrastructure IT reference architecture creates the necessary foundation for effectively implementing and validating requirements related to segmentation, logging, incident handling, monitoring, and secure operational processes. Depending on the environment (e.g., in Germany), relevant reference frameworks include:
- German Federal Office for Information Security (BSI) Act
- IT Security Act 2.0
- Network and Information Security Directive 2 (NIS2)
- ISO/IEC 27001
- ISO/IEC 27019
- IEC 62443
Manual access scenarios and automated processes in IT networks
Which events can occur in OT and critical infrastructure security networks – and what is the correct response?
Manually triggered access scenarios
In object monitoring and security operations, situations repeatedly arise in which manual adjustments or responses – and therefore network access – are required. We present three typical use cases and show how the right network architecture helps maintain security:
Automated processes (machine-to-machine)
A particular practical benefit: once carefully designed and implemented, your IT / OT network can also support building and facility security through automation. The following three use cases show how this works in practice:
Implementing security requirements in critical infrastructure and OT environments starts at the network level. LANCOM Systems provides a sovereign, standards-compliant, and auditable network foundation on which security systems can be operated in a structured and compliant manner. Through consistent segmentation, controlled communication, and centralized management, requirements from the CER directive, NIS-2, and other European guidelines become technically implementable and operationally manageable.
Well-founded network planning with LANCOM ensures that security architectures are designed correctly from the outset and do not require costly corrections later on.
Let us take a look at your upcoming project together! We look forward to hearing from you and will be happy to advise you without obligation.